In brief Google has announced plans to allow its business customers to begin “fingerprinting” users next year, and the UK Information Commissioner’s Office (ICO) isn’t happy about it.
Fingerprinting builds a profile of a user for ad targeting from the characteristics of their device’s hardware and software, rather than from something stored on the device such as a cookie. The practical difference is that a user can inspect and delete cookies, but has nothing to clear when the identifier is recomputed from the device itself on every visit. Despite publicly declaring in 2019 that fingerprinting “subverts user choice and is wrong,” Google has apparently decided it isn’t such a big deal when third parties do it using Google’s own ad services.
Google’s statement and its overview of the platform changes, which take effect on February 16, 2025, never use the word fingerprinting, but they do say partners will be allowed to use “data signals” including IP addresses and “web beacons … or other identifiers” to build device profiles for serving ads.
“In the past decade, the way people engage with the internet changed dramatically,” Google said to justify the move. The Chocolate Factory cited connected TVs as one device type that needs to serve ads that can’t collect user data in the traditional manner.
The ICO doesn’t want UK businesses to think they’ll be off the hook for relying on fingerprinting, however. ICO executive director of regulatory risk, Stephen Almond, said his office will continue to hold businesses accountable because fingerprinting isn’t transparent enough to meet UK privacy standards, and is likely to reduce people’s choice over how their data is collected and used.
“We think this change is irresponsible,” Almond said. “Businesses do not have free rein to use fingerprinting as they please. Like all advertising technology, it must be lawfully and transparently deployed – and if it is not, the ICO will act.”
Almond said the ICO is engaging with Google “on this u-turn in its position.” Google confirmed to The Guardian that it was in discussion with the ICO about the shift, but maintains user privacy will be protected despite the change.
Google, which in the past has used the motto “don’t be evil” to explain its core philosophy, also reversed course this year on a promise to eliminate third-party cookies from Chrome.
Critical vulnerabilities of the week: Do you believe in trust BeyondTrust?
After dealing with a stolen API key earlier this month, access management firm BeyondTrust is now facing an actively exploited vulnerability in its Privileged Remote Access and Remote Support products.
CVE-2024-12356 (CVSS 9.8), a command injection bug that lets an unauthenticated attacker run operating system commands in the context of the site user, was added to CISA’s Known Exploited Vulnerabilities catalog this week. All versions are affected and patches are available, so don’t let this one sit until after the holiday break.
Elsewhere under active exploitation:
- CVSS 9.8 – CVE-2021-40407: Reolink RLC-410W security cameras contain an OS command injection vulnerability in their device network settings functionality.
- CVSS 9.8 – CVE-2022-23227: NUUO NVRmini2 security camera control systems contain a vulnerability chain that allows an unauthenticated attacker to gain root access with code execution capabilities.
- CVSS 9.8 – CVE-2018-14933: NUUO NVRmini devices also allow remote command execution via shell metacharacters, thanks to a failure to neutralize special elements in a request parameter.
Don’t close that laptop for the holiday break yet – time to get patching.
Krispy Kreme bandits raise sticky fingers to take credit
The culprits behind a hack of systems belonging to donut chain Krispy Kreme have come forward to take credit, and it was none other than the prolific Play Ransomware gang behind the donut data heist.
Security researcher Dominic Alvieri claimed in a Thursday tweet that Play Ransomware had posted notice that it had purloined Krispy Kreme’s data and planned to publish it. Krispy Kreme has kept its sticky lips shut tightly about the nature of the attack, even refusing to tell us whether it was hit by ransomware or some other form of attack.
The Play gang has been one of the most prolific malware slingers in recent memory, with Palo Alto Networks’ Unit 42 placing it second behind LockBit 3.0 in the number of victims named in the first half of 2024. Play has been responsible for several high-profile attacks, including the theft of tens of thousands of files from the Swiss government.
Sticky fingers, indeed.
Speaking of LockBit …
Despite the high-profile disruption of LockBit by an international cadre of law enforcement in early 2024, the gang has remained relevant – and a recent report suggests they’re back in full force.
Threat intel firm DarkFeed said this week that LockBit 4.0 had arrived, suggesting the gang is far from finished as a force in the ransomware underground. LockBit last released a new version of its ransomware in June 2022, which included new features and even the first-ever ransomware bug bounty program.
DarkFeed’s dashboard of active ransomware groups indicates LockBit infections have fallen precipitously over the course of 2024, with RansomHub rising to dominate in its place. If LockBit’s boasts are true, don’t expect it to stay that way.
It’s not clear what new features will be included in LockBit 4.0, but DarkFeed (and we at The Register) urge potential targets to stay vigilant, prepare defenses, get systems updated and ensure users are trained up.
5.6 million patients’ data compromised in Ascension healthcare hack
When the Black Basta ransomware gang hit Ascension Healthcare in May, knocking systems offline and forcing the hospital chain back to pen-and-paper operations, it wasn’t immediately clear how many of the Catholic healthcare provider’s patients had data stolen. Now we know, and the count is huge.
According to a breach notification from the Maine Attorney General’s office, nearly 5.6 million Ascension patients had data exposed in the ransomware attack that took more than a month to resolve, per Ascension’s timeline of the incident.
Ascension said the data stolen varies by patient, and it can’t say exactly which data was taken for each person. The stolen data includes medical information, payment information, insurance information, government IDs, and other PII such as birthdates and addresses. In short, the perfect batch of info for cybercriminals looking to steal someone’s identity.
Ascension is offering the usual credit monitoring, as well as a $1M insurance reimbursement policy, for those affected.
Lazarus ups fake job campaign with new attack chain
North Korean-linked cybercriminals with the Lazarus Group are continuing their Operation Dream Job campaign of targeting professionals in critical sectors with job-related malware lures, but they’ve introduced some new malware to keep defenders guessing.
Kaspersky threat researchers, writing on SecureList, have spotted a new piece of malware, dubbed CookiePlus, hidden inside Lazarus-linked archive files that pose as remote access tools for a job-application skills test, and they warn it does a good job of hiding itself.
CookiePlus masquerades as ComparePlus, an open source Notepad++ plugin, and stays under the radar by behaving like a plain downloader: it exchanges only minimal information with its command and control server. Despite that, it can do considerably more.
“The problem for defenders is that CookiePlus can behave just like a downloader,” SecureList said. “This makes it difficult to investigate whether CookiePlus downloaded just a small plugin or the next meaningful payload.”
In practice CookiePlus is modular malware: it retrieves and decrypts several payloads and puts them to work, collecting system information and opening the door for further attacks.
It might be tough to keep an eye out for this one, so be sure to examine SecureList’s IOCs for CookiePlus. ®